Apple Fixes Thunderstrike and Other Vulnerabilities in Latest OS X Beta
A few weeks ago, security researcher Trammell Hudson discovered a vulnerability in Apple’s low-level firmware that could allow a rogue Thunderbolt device to flash its own code to a Mac’s boot ROM. This type of bootkit, dubbed “Thunderstrike” since it relies on Thunderbolt IO as an attack vector, would be very difficult to remove or even detect.
Thunderstrike works by injecting an Option ROM into a Mac’s EFI. In practice, this means a malicious Thunderbolt device can replace Apple’s firmware with its own rogue version without leaving any traces. Since this firmware lives in the boot ROM rather than on the hard drive, simply reinstalling the OS would not remove Thunderstrike. Furthermore, Thunderstrike replaces Apple’s cryptographic signature, which is used to verify firmware integrity. Fortunately for Mac users, the latest OS X beta includes a fix for Thunderstrike, and a public patch shouldn’t be too far away.
UPDATE: OS X 10.10.2 has been released to the public. If you own a Mac, simply go to the Mac App Store to download and install the update.
Thunderstrike Patched in OS X 10.10.2 Beta
Since Thunderstrike requires physical access to a target machine, the issue is not as serious as it could have been. Furthermore, aside from Thunderstrike, there are no known Mac bootkits in the wild, and Thunderstrike is mainly a proof-of-concept, anyway. That being said, the vulnerability still exists, and Hudson has discussed the patch with Apple.
Hudson demonstrated his proof-of-concept at the Chaos Communication Congress in December. According to his research, Apple’s latest Mac Minis and Retina 5K iMacs are already immune to Thunderstrike, and Apple’s engineers have been developing a patch for the rest of the Mac product line. According to a report from Apple news site iMore,
“To secure against Thunderstrike, Apple had to change the code to not only prevent the Mac’s boot ROM from being replaced, but also to prevent it from being rolled back to a state where the attack would be possible again. According to people with access to the latest beta of OS X 10.10.2 who are familiar with Thunderstrike and how it works, that’s exactly the deep, layered process that’s been completed.”
However, Hudson also told Ars Technica that he hasn’t yet tested Apple’s latest patch.
“The version [of the patch] that I tested in Hamburg was still subject to downgrade attacks and I demonstrated it for Apple… Hopefully they have fixed that bit, although the fact that they are leaving Option ROMs enabled at all really worries me.”
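The downgrade attack Hudson mentions is worth spelling out: an older firmware image is still genuine and validly signed, so an update check that only verifies the vendor signature will happily install it, bringing the vulnerable code back. The Python below is an added illustration, not Apple's firmware logic or anything from Hudson's research; it models the two update policies side by side with a constructed HMAC standing in for the real vendor signature, and every key, version number and function name in it is an assumption made for the demo.

```python
"""Added example: signature-only firmware acceptance versus signature plus
anti-rollback. Nothing here is Apple's code; the 'vendor key' is a constructed
demo secret and the HMAC stands in for a real asymmetric firmware signature."""
import hashlib
import hmac

# Constructed demo key. A real vendor signs with a private key and the boot
# ROM holds only the public half; the policy logic below is the same either way.
VENDOR_KEY = b"demo-vendor-signing-key"


def _tag(version: str, payload: bytes) -> str:
    """Signature over version || payload so the version itself is protected."""
    return hmac.new(VENDOR_KEY, version.encode() + b"|" + payload,
                    hashlib.sha256).hexdigest()


def sign_image(version: tuple, payload: bytes) -> dict:
    """Build a vendor-signed firmware image (version, payload, signature)."""
    ver = ".".join(str(p) for p in version)
    return {"version": ver, "payload": payload.hex(), "sig": _tag(ver, payload)}


def signature_valid(image: dict) -> bool:
    """Recompute the tag and compare in constant time."""
    expected = _tag(image["version"], bytes.fromhex(image["payload"]))
    return hmac.compare_digest(expected, image["sig"])


def parse_version(s: str) -> tuple:
    """'10.10.2' -> (10, 10, 2) so comparisons are numeric, not lexical."""
    return tuple(int(p) for p in s.split("."))


def accept_signature_only(installed: str, image: dict) -> bool:
    """Weak policy: install anything the vendor ever signed."""
    return signature_valid(image)


def accept_anti_rollback(installed: str, image: dict) -> bool:
    """Hardened policy: must be vendor-signed AND not older than what is installed."""
    if not signature_valid(image):
        return False
    return parse_version(image["version"]) >= parse_version(installed)


def demo() -> dict:
    """Exercise both policies against a patched, an old-but-genuine, and a tampered image."""
    old = sign_image((1, 0), b"constructed: firmware that trusts Option ROMs")
    new = sign_image((1, 1), b"constructed: patched firmware")
    # Attacker edits the payload but cannot produce a valid vendor signature.
    tampered = dict(old, payload=b"constructed: attacker payload".hex())
    return {
        "tampered_rejected_weak": not accept_signature_only("1.1", tampered),
        "tampered_rejected_hardened": not accept_anti_rollback("1.1", tampered),
        # The genuine old image passes signature checks: this is the downgrade gap.
        "old_accepted_weak": accept_signature_only("1.1", old),
        "old_rejected_hardened": not accept_anti_rollback("1.1", old),
        "new_accepted_hardened": accept_anti_rollback("1.0", new),
        "same_version_accepted": accept_anti_rollback("1.1", new),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point the demo makes is that the tampered image fails both policies, but the old genuine image fails only the hardened one; a signature check proves who produced the firmware, not that it is the version the machine should be running. That is why the iMore description above stresses preventing rollback as well as preventing replacement.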
Other Unrelated Vulnerabilities Fixed in 10.10.2
Google’s Project Zero security research team recently disclosed three OS X vulnerabilities to the public (here, here, and here). Project Zero offers companies a 90-day window to fix vulnerabilities before disclosing them to the public – a policy designed to give companies ample time to address security issues while also incentivising them to provide patches in a timely manner. On their own, these exploits aren’t that critical as they require some sort of access to the target machine, either physical or remote. However, these exploits can potentially be combined with other attacks to escalate privileges and take over the target machine. One of the vulnerabilities was already fixed with the release of OS X Yosemite (10.10), and the other two appear to have been fixed in 10.10.2.
While it’s important to be informed of new vulnerabilities, most Mac users shouldn’t have anything to worry about. These exploits require direct access to target machines, and patches are already on the way.
Images from Shutterstock.